11
11
# and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008 Teddy Hogeborn & Björn Påhlsson
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
16
16
# This program is free software: you can redistribute it and/or modify
17
17
# it under the terms of the GNU General Public License as published by
30
30
# Contact the authors at <mandos@fukt.bsnet.se>.
33
from __future__ import division, with_statement, absolute_import
33
from __future__ import division
35
35
import SocketServer
37
38
from optparse import OptionParser
111
107
a sensible number of times
113
109
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
114
servicetype = None, port = None, TXT = None, domain = "",
110
type = None, port = None, TXT = None, domain = "",
115
111
host = "", max_renames = 32768):
116
112
self.interface = interface
118
self.type = servicetype
130
126
if self.rename_count >= self.max_renames:
131
127
logger.critical(u"No suitable Zeroconf service name found"
132
128
u" after %i retries, exiting.",
134
130
raise AvahiServiceError("Too many renames")
135
131
self.name = server.GetAlternativeServiceName(self.name)
136
132
logger.info(u"Changing Zeroconf service name to %r ...",
181
177
secret: bytestring; sent verbatim (over TLS) to client
182
178
host: string; available for use by the checker command
183
179
created: datetime.datetime(); object creation, not client host
185
180
last_checked_ok: datetime.datetime() or None if not yet checked OK
186
181
timeout: datetime.timedelta(); How long from last_checked_ok
187
182
until this client is invalid
203
198
_timeout_milliseconds: Used when calling gobject.timeout_add()
204
199
_interval_milliseconds: - '' -
206
interface = u"org.mandos_system.Mandos.Clients"
208
@dbus.service.method(interface, out_signature="s")
210
"D-Bus getter method"
213
@dbus.service.method(interface, out_signature="s")
214
def getFingerprint(self):
215
"D-Bus getter method"
216
return self.fingerprint
218
@dbus.service.method(interface, in_signature="ay",
220
def setSecret(self, secret):
221
"D-Bus setter method"
224
201
def _set_timeout(self, timeout):
225
"Setter function for the 'timeout' attribute"
202
"Setter function for 'timeout' attribute"
226
203
self._timeout = timeout
227
204
self._timeout_milliseconds = ((self.timeout.days
228
205
* 24 * 60 * 60 * 1000)
229
206
+ (self.timeout.seconds * 1000)
230
207
+ (self.timeout.microseconds
233
self.TimeoutChanged(self._timeout_milliseconds)
234
timeout = property(lambda self: self._timeout, _set_timeout)
209
timeout = property(lambda self: self._timeout,
237
@dbus.service.method(interface, out_signature="t")
238
def getTimeout(self):
239
"D-Bus getter method"
240
return self._timeout_milliseconds
242
@dbus.service.signal(interface, signature="t")
243
def TimeoutChanged(self, t):
247
212
def _set_interval(self, interval):
248
"Setter function for the 'interval' attribute"
213
"Setter function for 'interval' attribute"
249
214
self._interval = interval
250
215
self._interval_milliseconds = ((self.interval.days
251
216
* 24 * 60 * 60 * 1000)
254
219
+ (self.interval.microseconds
257
self.IntervalChanged(self._interval_milliseconds)
258
interval = property(lambda self: self._interval, _set_interval)
221
interval = property(lambda self: self._interval,
259
223
del _set_interval
261
@dbus.service.method(interface, out_signature="t")
262
def getInterval(self):
263
"D-Bus getter method"
264
return self._interval_milliseconds
266
@dbus.service.signal(interface, signature="t")
267
def IntervalChanged(self, t):
271
def __init__(self, name = None, stop_hook=None, config=None):
224
def __init__(self, name = None, stop_hook=None, config={}):
272
225
"""Note: the 'checker' key in 'config' sets the
273
226
'checker_command' attribute and *not* the 'checker'
275
dbus.service.Object.__init__(self, bus,
277
% name.replace(".", "_"))
281
229
logger.debug(u"Creating client %r", self.name)
282
230
# Uppercase and remove spaces from fingerprint for later
288
236
if "secret" in config:
289
237
self.secret = config["secret"].decode(u"base64")
290
238
elif "secfile" in config:
291
with closing(open(os.path.expanduser
293
(config["secfile"])))) \
295
self.secret = secfile.read()
239
sf = open(config["secfile"])
240
self.secret = sf.read()
297
243
raise TypeError(u"No secret or secfile for client %s"
299
245
self.host = config.get("host", "")
300
246
self.created = datetime.datetime.now()
302
247
self.last_checked_ok = None
303
248
self.timeout = string_to_delta(config["timeout"])
304
249
self.interval = string_to_delta(config["interval"])
308
253
self.stop_initiator_tag = None
309
254
self.checker_callback_tag = None
310
255
self.check_command = config["checker"]
313
257
"""Start this client's checker and timeout hooks"""
315
258
# Schedule a new checker to be started an 'interval' from now,
316
259
# and every interval from then on.
317
260
self.checker_initiator_tag = gobject.timeout_add\
323
266
self.stop_initiator_tag = gobject.timeout_add\
324
267
(self._timeout_milliseconds,
327
self.StateChanged(True)
329
@dbus.service.signal(interface, signature="b")
330
def StateChanged(self, started):
335
"""Stop this client."""
336
if getattr(self, "started", False):
271
The possibility that a client might be restarted is left open,
272
but not currently used."""
273
# If this client doesn't have a secret, it is already stopped.
274
if hasattr(self, "secret") and self.secret:
337
275
logger.info(u"Stopping client %s", self.name)
340
279
if getattr(self, "stop_initiator_tag", False):
346
285
self.stop_checker()
347
286
if self.stop_hook:
348
287
self.stop_hook(self)
350
self.StateChanged(False)
351
288
# Do not run this again if called by a gobject.timeout_add
354
Stop = dbus.service.method(interface)(stop)
356
290
def __del__(self):
357
291
self.stop_hook = None
360
293
def checker_callback(self, pid, condition):
361
294
"""The checker has completed, so take appropriate actions."""
295
now = datetime.datetime.now()
362
296
self.checker_callback_tag = None
363
297
self.checker = None
364
298
if os.WIFEXITED(condition) \
365
299
and (os.WEXITSTATUS(condition) == 0):
366
300
logger.info(u"Checker for %(name)s succeeded",
369
self.CheckerCompleted(True)
302
self.last_checked_ok = now
303
gobject.source_remove(self.stop_initiator_tag)
304
self.stop_initiator_tag = gobject.timeout_add\
305
(self._timeout_milliseconds,
371
307
elif not os.WIFEXITED(condition):
372
308
logger.warning(u"Checker for %(name)s crashed?",
375
self.CheckerCompleted(False)
377
311
logger.info(u"Checker for %(name)s failed",
380
self.CheckerCompleted(False)
382
@dbus.service.signal(interface, signature="b")
383
def CheckerCompleted(self, success):
387
def bump_timeout(self):
388
"""Bump up the timeout for this client.
389
This should only be called when the client has been seen,
392
self.last_checked_ok = datetime.datetime.now()
393
gobject.source_remove(self.stop_initiator_tag)
394
self.stop_initiator_tag = gobject.timeout_add\
395
(self._timeout_milliseconds, self.stop)
397
bumpTimeout = dbus.service.method(interface)(bump_timeout)
399
313
def start_checker(self):
400
314
"""Start a new checker subprocess if one is not running.
401
315
If a checker already exists, leave it running and do
436
350
self.checker_callback_tag = gobject.child_watch_add\
437
351
(self.checker.pid,
438
352
self.checker_callback)
440
self.CheckerStarted(command)
441
353
except OSError, error:
442
354
logger.error(u"Failed to start subprocess: %s",
444
356
# Re-run this periodically if run by gobject.timeout_add
447
@dbus.service.signal(interface, signature="s")
448
def CheckerStarted(self, command):
451
@dbus.service.method(interface, out_signature="b")
452
def checkerIsRunning(self):
453
"D-Bus getter method"
454
return self.checker is not None
456
358
def stop_checker(self):
457
359
"""Force the checker process, if any, to stop."""
458
360
if self.checker_callback_tag:
470
372
if error.errno != errno.ESRCH: # No such process
472
374
self.checker = None
474
StopChecker = dbus.service.method(interface)(stop_checker)
476
375
def still_valid(self):
477
376
"""Has the timeout not yet passed for this client?"""
480
377
now = datetime.datetime.now()
481
378
if self.last_checked_ok is None:
482
379
return now < (self.created + self.timeout)
484
381
return now < (self.last_checked_ok + self.timeout)
486
stillValid = dbus.service.method(interface, out_signature="b")\
492
384
def peer_certificate(session):
522
414
(crt, ctypes.byref(datum),
523
415
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
524
416
# Verify the self signature in the key
525
crtverify = ctypes.c_uint()
417
crtverify = ctypes.c_uint();
526
418
gnutls.library.functions.gnutls_openpgp_crt_verify_self\
527
419
(crt, 0, ctypes.byref(crtverify))
528
420
if crtverify.value != 0:
529
421
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
530
422
raise gnutls.errors.CertificateSecurityError("Verify failed")
531
423
# New buffer for the fingerprint
532
buf = ctypes.create_string_buffer(20)
533
buf_len = ctypes.c_size_t()
424
buffer = ctypes.create_string_buffer(20)
425
buffer_length = ctypes.c_size_t()
534
426
# Get the fingerprint from the certificate into the buffer
535
427
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
536
(crt, ctypes.byref(buf), ctypes.byref(buf_len))
428
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
537
429
# Deinit the certificate
538
430
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
539
431
# Convert the buffer to a Python bytestring
540
fpr = ctypes.string_at(buf, buf_len.value)
432
fpr = ctypes.string_at(buffer, buffer_length.value)
541
433
# Convert the bytestring to hexadecimal notation
542
434
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
546
class TCP_handler(SocketServer.BaseRequestHandler, object):
438
class tcp_handler(SocketServer.BaseRequestHandler, object):
547
439
"""A TCP request handler class.
548
440
Instantiated by IPv6_TCPServer for each request to handle it.
549
441
Note: This will run in its own forked process."""
551
443
def handle(self):
552
444
logger.info(u"TCP connection from: %s",
553
unicode(self.client_address))
445
unicode(self.client_address))
554
446
session = gnutls.connection.ClientSession\
555
447
(self.request, gnutls.connection.X509Credentials())
571
463
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
572
464
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
574
# Use a fallback default, since this MUST be set.
575
priority = self.server.settings.get("priority", "NORMAL")
466
priority = "NORMAL" # Fallback default, since this
468
if self.server.settings["priority"]:
469
priority = self.server.settings["priority"]
576
470
gnutls.library.functions.gnutls_priority_set_direct\
577
(session._c_object, priority, None)
471
(session._c_object, priority, None);
580
474
session.handshake()
623
class IPv6_TCPServer(SocketServer.ForkingMixIn,
624
SocketServer.TCPServer, object):
515
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
625
516
"""IPv6 TCP server. Accepts 'None' as address and/or port.
627
518
settings: Server settings
628
519
clients: Set() of Client objects
629
enabled: Boolean; whether this server is activated yet
631
521
address_family = socket.AF_INET6
632
522
def __init__(self, *args, **kwargs):
636
526
if "clients" in kwargs:
637
527
self.clients = kwargs["clients"]
638
528
del kwargs["clients"]
640
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
529
return super(type(self), self).__init__(*args, **kwargs)
641
530
def server_bind(self):
642
531
"""This overrides the normal server_bind() function
643
532
to bind to an interface if one was specified, and also NOT to
674
563
# ["interface"]))
675
return super(IPv6_TCPServer, self).server_bind()
676
def server_activate(self):
678
return super(IPv6_TCPServer, self).server_activate()
564
return super(type(self), self).server_bind()
683
567
def string_to_delta(interval):
746
630
"""Call the C function if_nametoindex(), or equivalent"""
747
631
global if_nametoindex
633
if "ctypes.util" not in sys.modules:
749
635
if_nametoindex = ctypes.cdll.LoadLibrary\
750
636
(ctypes.util.find_library("c")).if_nametoindex
751
637
except (OSError, AttributeError):
756
642
def if_nametoindex(interface):
757
643
"Get an interface index the hard way, i.e. using fcntl()"
758
644
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
759
with closing(socket.socket()) as s:
760
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
761
struct.pack("16s16x", interface))
646
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
647
struct.pack("16s16x", interface))
762
649
interface_index = struct.unpack("I", ifreq[16:20])[0]
763
650
return interface_index
764
651
return if_nametoindex(interface)
678
global main_loop_started
679
main_loop_started = False
791
681
parser = OptionParser(version = "%%prog %s" % version)
792
682
parser.add_option("-i", "--interface", type="string",
793
683
metavar="IF", help="Bind to interface IF")
808
698
default="/etc/mandos", metavar="DIR",
809
699
help="Directory to search for configuration"
811
options = parser.parse_args()[0]
701
(options, args) = parser.parse_args()
813
703
if options.check:
868
758
client_config.read(os.path.join(server_settings["configdir"],
872
tcp_server = IPv6_TCPServer((server_settings["address"],
873
server_settings["port"]),
875
settings=server_settings,
877
pidfilename = "/var/run/mandos.pid"
879
pidfile = open(pidfilename, "w")
880
except IOError, error:
881
logger.error("Could not open file %r", pidfilename)
886
uid = pwd.getpwnam("mandos").pw_uid
889
uid = pwd.getpwnam("nobody").pw_uid
893
gid = pwd.getpwnam("mandos").pw_gid
896
gid = pwd.getpwnam("nogroup").pw_gid
902
except OSError, error:
903
if error[0] != errno.EPERM:
907
762
service = AvahiService(name = server_settings["servicename"],
908
servicetype = "_mandos._tcp", )
763
type = "_mandos._tcp", );
909
764
if server_settings["interface"]:
910
765
service.interface = if_nametoindex\
911
766
(server_settings["interface"])
949
805
# Close all input and output, do double fork, etc.
808
pidfilename = "/var/run/mandos/mandos.pid"
811
pidfile = open(pidfilename, "w")
954
812
pidfile.write(str(pid) + "\n")
958
logger.error(u"Could not write to file %r with PID %d",
961
# "pidfile" was never created
816
logger.error(u"Could not write %s file with PID %d",
817
pidfilename, os.getpid())
966
820
"Cleanup function; run on exit"
986
840
for client in clients:
990
tcp_server.server_activate()
843
tcp_server = IPv6_TCPServer((server_settings["address"],
844
server_settings["port"]),
846
settings=server_settings,
992
848
# Find out what port we got
993
849
service.port = tcp_server.socket.getsockname()[1]
994
850
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"